IPTABLES TARGET EXTENSIONS


iptables can use extended target modules: the following are included in
       the standard distribution.

   BALANCE
       This  allows  you to DNAT connections in a round-robin way over a given
       range of destination addresses.

       --to-destination ipaddr-ipaddr
              Address range to round-robin over.

   CLASSIFY
       This module allows you to set the skb->priority value (and  thus  clas-
       sify the packet into a specific CBQ class).

       --set-class MAJOR:MINOR
              Set the major and minor class value.

   CLUSTERIP
       This  module  allows  you  to  configure a simple cluster of nodes that
       share a certain IP and MAC address without an explicit load balancer in
       front  of  them.   Connections  are  statically distributed between the
       nodes in this cluster.

       --new  Create a new ClusterIP.  You always have  to  set  this  on  the
              first rule for a given ClusterIP.

       --hashmode mode
              Specify  the hashing mode.  Has to be one of sourceip, sourceip-
              sourceport, sourceip-sourceport-destport

       --clustermac mac
              Specify the ClusterIP MAC address.  Has to be a link-layer  mul-
              ticast address

       --total-nodes num
              Number of total nodes within this cluster.

       --local-node num
              Local node number within this cluster.

       --hash-init rnd
              Specify the random seed used for hash initialization.

   CONNMARK
       This module sets the netfilter mark value associated with a connection

       --set-mark mark[/mask]
              Set connection mark. If a mask is specified then only those bits
              set in the mask is modified.

       --save-mark [--mask mask]
              Copy the netfilter packet mark value to the connection mark.  If
              a mask is specified then only those bits are copied.

       --restore-mark [--mask mask]
              Copy the connection mark value to the packet. If a mask is spec-
              ified then only those bits are copied. This is only valid in the
              mangle table.

   DNAT
       This  target is only valid in the nat table, in the PREROUTING and OUT-
       PUT chains, and user-defined chains which are only  called  from  those
       chains.  It specifies that the destination address of the packet should
       be modified (and all future packets in this  connection  will  also  be
       mangled),  and rules should cease being examined.  It takes one type of
       option:

       --to-destination ipaddr[-ipaddr][:port-port]
              which can specify a single new destination IP address, an inclu-
              sive  range of IP addresses, and optionally, a port range (which
              is only valid if the rule also specifies -p tcp or -p udp).   If
              no port range is specified, then the destination port will never
              be modified.

              You can add several --to-destination options.   If  you  specify
              more  than  one destination address, either via an address range
              or multiple --to-destination options, a simple round-robin  (one
              after another in cycle) load balancing takes place between these
              adresses.

   DSCP
       This target allows to alter the value of the DSCP bits within  the  TOS
       header  of  the IPv4 packet.  As this manipulates a packet, it can only
       be used in the mangle table.

       --set-dscp value
              Set the DSCP field to a numerical value (can be decimal or hex)

       --set-dscp-class class
              Set the DSCP field to a DiffServ class.

   ECN
       This target allows to selectively work around known ECN blackholes.  It
       can only be used in the mangle table.

       --ecn-tcp-remove
              Remove all ECN bits from the TCP header.  Of course, it can only
              be used in conjunction with -p tcp.

   LOG
       Turn on kernel logging of matching packets.  When this  option  is  set
       for  a rule, the Linux kernel will print some information on all match-
       ing packets (like most IP header fields) via the kernel log  (where  it
       can be read with dmesg or syslogd(8)).  This is a "non-terminating tar-
       get", i.e. rule traversal continues at the next rule.  So if  you  want
       to  LOG  the  packets  you refuse, use two separate rules with the same
       matching criteria, first using target LOG then DROP (or REJECT).

       --log-level level
              Level of logging (numeric or see syslog.conf(5)).

       --log-prefix prefix
              Prefix log messages with the specified prefix; up to 29  letters
              long, and useful for distinguishing messages in the logs.

       --log-tcp-sequence
              Log  TCP sequence numbers. This is a security risk if the log is
              readable by users.

       --log-tcp-options
              Log options from the TCP packet header.

       --log-ip-options
              Log options from the IP packet header.

       --log-uid
              Log the userid of the process which generated the packet.

   MARK
       This is used to set  the  netfilter  mark  value  associated  with  the
       packet.   It  is only valid in the mangle table.  It can for example be
       used in conjunction with iproute2.

       --set-mark mark

   MASQUERADE
       This target is only valid in the nat table, in the  POSTROUTING  chain.
       It  should  only  be used with dynamically assigned IP (dialup) connec-
       tions: if you have a static IP address, you should use the SNAT target.
       Masquerading is equivalent to specifying a mapping to the IP address of
       the interface the packet is going out, but also  has  the  effect  that
       connections  are  forgotten  when the interface goes down.  This is the
       correct behavior when the next dialup is  unlikely  to  have  the  same
       interface  address (and hence any established connections are lost any-
       way).  It takes one option:

       --to-ports port[-port]
              This specifies a range of source ports to  use,  overriding  the
              default SNAT source port-selection heuristics (see above).  This
              is only valid if the rule also specifies -p tcp or -p udp.

   MIRROR
       This is an experimental demonstration target which inverts  the  source
       and destination fields in the IP header and retransmits the packet.  It
       is only valid in the INPUT, FORWARD and PREROUTING  chains,  and  user-
       defined  chains which are only called from those chains.  Note that the
       outgoing packets are NOT seen by any packet filtering  chains,  connec-
       tion tracking or NAT, to avoid loops and other problems.

   NETMAP
       This  target  allows you to statically map a whole network of addresses
       onto another network of addresses.  It can only be used from  rules  in
       the nat table.

       --to address[/mask]
              Network  address  to map to.  The resulting address will be con-
              structed in the following way: All ’one’ bits in  the  mask  are
              filled in from the new ‘address’.  All bits that are zero in the
              mask are filled in from the original address.

   NOTRACK
       This target disables connection tracking for all packets matching  that
       rule.

       It can only be used in the
              raw table.

   REDIRECT
       This  target is only valid in the nat table, in the PREROUTING and OUT-
       PUT chains, and user-defined chains which are only  called  from  those
       chains.  It alters the destination IP address to send the packet to the
       machine itself (locally-generated packets are mapped to  the  127.0.0.1
       address).  It takes one option:

       --to-ports port[-port]
              This  specifies  a  destination  port  or range of ports to use:
              without this, the destination port is never  altered.   This  is
              only valid if the rule also specifies -p tcp or -p udp.

   REJECT
       This  is  used  to send back an error packet in response to the matched
       packet: otherwise it is equivalent to DROP so it is a terminating  TAR-
       GET,  ending  rule  traversal.  This target is only valid in the INPUT,
       FORWARD and OUTPUT chains,  and  user-defined  chains  which  are  only
       called  from those chains.  The following option controls the nature of
       the error packet returned:

       --reject-with type
              The type given can be
               icmp-net-unreachable
               icmp-host-unreachable
               icmp-port-unreachable
               icmp-proto-unreachable
               icmp-net-prohibited
               icmp-host-prohibited or
               icmp-admin-prohibited (*)
              which return the appropriate ICMP error  message  (port-unreach-
              able is the default).  The option tcp-reset can be used on rules
              which only match the TCP protocol: this causes a TCP RST  packet
              to  be  sent  back.   This  is  mainly useful for blocking ident
              (113/tcp) probes which frequently occur  when  sending  mail  to
              broken mail hosts (which won’t accept your mail otherwise).

       (*)  Using  icmp-admin-prohibited  with  kernels that do not support it
       will result in a plain DROP instead of REJECT

   ROUTE
       This  is  used  to explicitly override the core network stack’s routing
       decision.  mangle table.

       --oif ifname
              Route the packet through ‘ifname’ network interface

       --iif ifname
              Change the packet’s incoming interface to ‘ifname’

       --gw IP_address
              Route the packet via this gateway

       --continue
              Behave like a non-terminating target and continue traversing the
              rules.  Not valid in combination with ‘--iif’ or ‘--tee’

       --tee  Make a copy of the packet, and route that copy to the given des-
              tination. For the original, uncopied packet, behave like a  non-
              terminating target and continue traversing the rules.  Not valid
              in combination with ‘--iif’ or ‘--continue’

   SET
       This modules adds and/or deletes entries from  IP  sets  which  can  be
       defined by ipset(8).

       --add-set setname flag[,flag...]
              add the address(es)/port(s) of the packet to the sets

       --del-set setname flag[,flag...]
              delete  the  address(es)/port(s)  of  the  packet from the sets,
              where flags are src and/or dst and there can be no more than six
              of them.

       The bindings to follow must previously be defined in order to use
              multilevel adding/deleting by the SET target.

   SNAT
       This  target  is only valid in the nat table, in the POSTROUTING chain.
       It specifies that the source address of the packet should  be  modified
       (and  all  future packets in this connection will also be mangled), and
       rules should cease being examined.  It takes one type of option:

       --to-source  ipaddr[-ipaddr][:port-port]
              which can specify a single new source IP address,  an  inclusive
              range  of  IP  addresses, and optionally, a port range (which is
              only valid if the rule also specifies -p tcp or -p udp).  If  no
              port  range  is  specified,  then source ports below 512 will be
              mapped to other ports below 512:  those  between  512  and  1023
              inclusive  will  be  mapped to ports below 1024, and other ports
              will be mapped to 1024 or above. Where possible, no port  alter-
              ation will occur.

              You  can  add  several --to-source options.  If you specify more
              than one source address, either via an address range or multiple
              --to-source  options, a simple round-robin (one after another in
              cycle) takes place between these adresses.

   TCPMSS
       This target allows to alter the MSS value of TCP SYN packets,  to  con-
       trol  the maximum size for that connection (usually limiting it to your
       outgoing interface’s MTU minus 40).  Of course, it can only be used  in
       conjunction with -p tcp.
       This  target  is  used to overcome criminally braindead ISPs or servers
       which block ICMP Fragmentation Needed packets.  The  symptoms  of  this
       problem are that everything works fine from your Linux firewall/router,
       but machines behind it can never exchange large packets:
        1) Web browsers connect, then hang with no data received.
        2) Small mail works fine, but large emails hang.
        3) ssh works fine, but scp hangs after initial handshaking.
       Workaround: activate this option and add a rule to your  firewall  con-
       figuration like:
        iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
                    -j TCPMSS --clamp-mss-to-pmtu

       --set-mss value
              Explicitly set MSS option to specified value.

       --clamp-mss-to-pmtu
              Automatically clamp MSS value to (path_MTU - 40).

       These options are mutually exclusive.

   TOS
       This  is  used to set the 8-bit Type of Service field in the IP header.
       It is only valid in the mangle table.

       --set-tos tos
              You can use a numeric TOS values, or use
               iptables -j TOS -h
              to see the list of valid TOS names.

   TRACE
       This target has no options.  It just turns on packet  tracing  for  all
       packets that match this rule.

   TTL
       This is used to modify the IPv4 TTL header field.  The TTL field deter-
       mines how many hops (routers) a packet can traverse until it’s time  to
       live is exceeded.

       Setting  or  incrementing the TTL field can potentially be very danger-
       ous,
              so it should be avoided at any cost.

       Don't  ever set or increment the value on packets that leave your local
       network!
              mangle table.

       --ttl-set value
              Set the TTL value to ‘value’.

       --ttl-dec value
              Decrement the TTL value ‘value’ times.

       --ttl-inc value
              Increment the TTL value ‘value’ times.

   ULOG
       This  target provides userspace logging of matching packets.  When this
       target is set for a rule, the Linux kernel will multicast  this  packet
       through a netlink socket. One or more userspace processes may then sub-
       scribe to various multicast groups and receive the packets.  Like  LOG,
       this  is  a  "non-terminating target", i.e. rule traversal continues at
       the next rule.

       --ulog-nlgroup nlgroup
              This specifies the netlink group (1-32) to which the  packet  is
              sent.  Default value is 1.

       --ulog-prefix prefix
              Prefix  log messages with the specified prefix; up to 32 charac-
              ters long, and useful for distinguishing messages in the logs.

       --ulog-cprange size
              Number of bytes to be copied to userspace.  A value of 0  always
              copies the entire packet, regardless of its size.  Default is 0.

       --ulog-qthreshold size
              Number of packet to queue inside kernel.  Setting this value to,
              e.g.  10 accumulates ten packets inside the kernel and transmits
              them as one netlink multipart message to userspace.  Default  is
              1 (for backwards compatibility).

留言

這個網誌中的熱門文章

vim 的取代置換功能「s」

Wi-Fi Multimedia (WMM)

CoAP基礎